avnes/docker-test-irsa
docker-test-irsa

A Docker image for testing IRSA using the aws-cli

Pre-requisites

  • You are already running an AWS EKS cluster.
  • You have an IAM OpenID Connect (OIDC) identity provider associated with your cluster's OIDC issuer URL.
  • You have created an IAM role for IRSA testing.

The IAM role should have a Trust relationship that looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/oidc.eks.<AWS_REGION>.amazonaws.com/id/<GUID>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.<AWS_REGION>.amazonaws.com/id/<GUID>:sub": "system:serviceaccount:test-irsa-ns:test-sa"
        }
      }
    }
  ]
}

Replace <AWS_ACCOUNT_ID>, <AWS_REGION> and <GUID> with the values from your cluster's OIDC provider ARN, and test-irsa-ns (Namespace) and test-sa (ServiceAccount) with your actual values. The StringEquals condition on the :sub claim is what pins the role to that one ServiceAccount; without it, any pod in the cluster that presents a token from this issuer could assume the role.
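The following is an added example, not code from this repository: a small lint for an IRSA trust policy like the one above. It checks that every Allow statement names the cluster's OIDC provider as the Federated principal, allows only sts:AssumeRoleWithWebIdentity, pins the :sub condition to exactly one namespace/ServiceAccount, and has an :aud condition of sts.amazonaws.com (a common hardening step that the README's policy does not include). The account id, region and GUID in the sample policy are constructed placeholders, and the function and variable names are this example's own.

```python
# Constructed sample trust policy in the shape shown above. The account id, region
# and GUID are made-up placeholders, not values from any real cluster.
SAMPLE_PROVIDER_ARN = (
    "arn:aws:iam::123456789012:oidc-provider/"
    "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEGUID0000000000000000000000"
)
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": SAMPLE_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEGUID0000000000000000000000:sub":
                        "system:serviceaccount:test-irsa-ns:test-sa"
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_irsa_trust_policy(policy, provider_arn, namespace, service_account):
    """Return a list of findings. An empty list means every Allow statement is
    pinned to the given OIDC provider and to the one expected ServiceAccount."""
    findings = []
    # Condition keys are prefixed with the issuer host/path, i.e. the part of the
    # provider ARN after "oidc-provider/".
    issuer = provider_arn.split(":oidc-provider/", 1)[1]
    sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"

    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"statement {n}"
        principal = stmt.get("Principal") or {}
        if not isinstance(principal, dict):
            findings.append(f"{where}: Principal is {principal!r}, expected a Federated OIDC provider")
        elif _as_list(principal.get("Federated")) != [provider_arn]:
            findings.append(f"{where}: Federated principal is not the cluster's OIDC provider")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"{where}: Action should be exactly sts:AssumeRoleWithWebIdentity")

        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        subs = _as_list(equals.get(sub_key)) + _as_list(like.get(sub_key))
        if not subs:
            findings.append(f"{where}: no {sub_key} condition, any ServiceAccount in the cluster could assume the role")
        elif any("*" in s or "?" in s for s in _as_list(like.get(sub_key))):
            findings.append(f"{where}: wildcard in StringLike {sub_key}, role is not pinned to one ServiceAccount")
        elif subs != [expected_sub]:
            findings.append(f"{where}: {sub_key} is {subs}, expected ['{expected_sub}']")
        if not _as_list(equals.get(aud_key)):
            findings.append(f"{where}: no {aud_key} condition, add StringEquals {aud_key} = sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    for line in check_irsa_trust_policy(SAMPLE_TRUST_POLICY, SAMPLE_PROVIDER_ARN, "test-irsa-ns", "test-sa"):
        print(line)
```

Run against the sample policy it reports only the missing :aud condition; point it at a policy fetched with `aws iam get-role` to check a real role before applying test-irsa.yaml.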

Install instructions

  • Copy the full ARN for your IRSA test role.
  • Open test-irsa.yaml in a text editor and replace <FULL_ARN> with the ARN you copied above.
  • Apply test-irsa.yaml to your EKS cluster:
kubectl config set-context --current --namespace=<namespace>
kubectl apply -f test-irsa.yaml

This will create a namespace called test-irsa-ns with a pod inside.

Test instructions

Get inside the pod

kubectl config set-context --current --namespace=<namespace>
POD_NAME=$(kubectl get pod --no-headers -o custom-columns='NAME:.metadata.name')
kubectl exec --stdin --tty $POD_NAME -- /bin/bash

Find your IAM identity

aws sts get-caller-identity

You should then see something like:

{
    "UserId": "<USER_ID>",
    "Account": "<ACCOUNT_ID>",
    "Arn": "arn:aws:sts::<ACCOUNT_ID>:assumed-role/TestIRSA/botocore-session-<SESSION_ID>"
}
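As an added example (not part of this repository), the script below cross-checks the two halves of the IRSA chain: the Arn that `aws sts get-caller-identity` returns and the claims in the projected ServiceAccount token the pod presented to STS. Inside an IRSA-enabled pod the EKS webhook sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE; when those are absent the script falls back to a constructed caller-identity document and an unsigned constructed token, so it runs offline. The role name TestIRSA comes from the output above; the account id, session name and issuer GUID are placeholders, and the function names are this example's own. The token payload is decoded for inspection only; no signature verification is done here, since STS performs it.

```python
import base64
import json
import os
import re
import sys

# Shape of the Arn returned by "aws sts get-caller-identity" inside the pod:
# arn:aws:sts::<ACCOUNT_ID>:assumed-role/<ROLE_NAME>/<SESSION_NAME>
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def parse_assumed_role_arn(arn):
    """Split an assumed-role ARN into account, role name and session name."""
    match = ASSUMED_ROLE_RE.match(arn)
    if not match:
        raise ValueError(f"not an assumed-role ARN: {arn}")
    account, role, session = match.groups()
    return {"account": account, "role": role, "session": session}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode the payload of the projected ServiceAccount token.
    Inspection only: the signature is not verified here."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_pod_identity(caller_identity_json, jwt, expected_role, namespace, service_account):
    """Compare what STS returned with the claims in the token the pod presented.
    Returns a list of problems; an empty list means the chain is consistent."""
    problems = []
    identity = parse_assumed_role_arn(json.loads(caller_identity_json)["Arn"])
    if identity["role"] != expected_role:
        problems.append(f"assumed role is {identity['role']}, expected {expected_role}")
    claims = token_claims(jwt)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        problems.append(f"token sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    if "sts.amazonaws.com" not in audiences:
        problems.append(f"token aud {audiences} does not include sts.amazonaws.com")
    return problems


def unsigned_sample_token(claims):
    """Build a constructed JWT with an empty signature for offline testing.
    STS would reject it; it exists only so the claim checks can run here."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{payload}."


# Constructed sample values, not output from a real cluster.
SAMPLE_CALLER_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEID:botocore-session-1700000000",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/TestIRSA/botocore-session-1700000000",
})
SAMPLE_TOKEN = unsigned_sample_token({
    "iss": "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEGUID",
    "sub": "system:serviceaccount:test-irsa-ns:test-sa",
    "aud": ["sts.amazonaws.com"],
    "exp": 1700086400,
})


if __name__ == "__main__":
    # Inside an IRSA-enabled pod the EKS webhook injects these two variables;
    # elsewhere fall back to the constructed sample token and role ARN.
    token_file = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    token = open(token_file).read().strip() if token_file else SAMPLE_TOKEN
    role_arn = os.environ.get("AWS_ROLE_ARN", "arn:aws:iam::123456789012:role/TestIRSA")
    expected_role = role_arn.rsplit("/", 1)[1]
    # Optional argv[1]: a file holding the real output of "aws sts get-caller-identity".
    caller_identity = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CALLER_IDENTITY
    print(check_pod_identity(caller_identity, token, expected_role, "test-irsa-ns", "test-sa") or "consistent")
```

Inside the pod, save the get-caller-identity output to a file and pass it as the first argument; the token and role ARN are picked up from the injected environment. A non-empty result means the role that was assumed does not match the ServiceAccount the pod actually runs as, which is exactly the mismatch the trust policy's :sub condition is meant to prevent.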

Removal instructions

kubectl delete -f test-irsa.yaml
